From 575e5e4e51e01aed1044cd8ba9e00a9631eba794 Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Wed, 2 Aug 2017 20:48:12 +0300 Subject: gnu: glibc@2.24: Fix CVE-2015-5180. * gnu/packages/base.scm (glibc@2.24)[source]: Add patch. * gnu/packages/patches/glibc-CVE-2015-5180.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it. --- gnu/local.mk | 1 + 1 file changed, 1 insertion(+) (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index db8be36fb4..5cc8b64aa0 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -644,6 +644,7 @@ dist_patch_DATA = \ %D%/packages/patches/ghostscript-runpath.patch \ %D%/packages/patches/glib-networking-ssl-cert-file.patch \ %D%/packages/patches/glib-tests-timer.patch \ + %D%/packages/patches/glibc-CVE-2015-5180.patch \ %D%/packages/patches/glibc-CVE-2017-1000366-pt1.patch \ %D%/packages/patches/glibc-CVE-2017-1000366-pt2.patch \ %D%/packages/patches/glibc-CVE-2017-1000366-pt3.patch \ -- cgit 1.4.1 From a0ae64a334ce4dda269828bbb3c9182842e5cd50 Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Wed, 2 Aug 2017 21:11:57 +0300 Subject: gnu: glibc@2.23: Fix CVE-2015-5180, CVE-2016-{3075,3706,4429}. * gnu/packages/base.scm (glibc@2.23)[source]: Add patches. * gnu/packages/patches/glibc-CVE-2016-3075.patch, gnu/packages/patches/glibc-CVE-2016-3706.patch, gnu/packages/patches/glibc-CVE-2016-4429.patch: New files. * gnu/local.mk (dist_patch_DATA): Register them. --- gnu/local.mk | 3 + gnu/packages/base.scm | 4 + gnu/packages/patches/glibc-CVE-2016-3075.patch | 43 ++++++ gnu/packages/patches/glibc-CVE-2016-3706.patch | 188 +++++++++++++++++++++++++ gnu/packages/patches/glibc-CVE-2016-4429.patch | 58 ++++++++ 5 files changed, 296 insertions(+) create mode 100644 gnu/packages/patches/glibc-CVE-2016-3075.patch create mode 100644 gnu/packages/patches/glibc-CVE-2016-3706.patch create mode 100644 gnu/packages/patches/glibc-CVE-2016-4429.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 5cc8b64aa0..67150aed67 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -645,6 +645,9 @@ dist_patch_DATA = \ %D%/packages/patches/glib-networking-ssl-cert-file.patch \ %D%/packages/patches/glib-tests-timer.patch \ %D%/packages/patches/glibc-CVE-2015-5180.patch \ + %D%/packages/patches/glibc-CVE-2016-3075.patch \ + %D%/packages/patches/glibc-CVE-2016-3706.patch \ + %D%/packages/patches/glibc-CVE-2016-4429.patch \ %D%/packages/patches/glibc-CVE-2017-1000366-pt1.patch \ %D%/packages/patches/glibc-CVE-2017-1000366-pt2.patch \ %D%/packages/patches/glibc-CVE-2017-1000366-pt3.patch \ diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm index f23db9a778..37e09eb8ce 100644 --- a/gnu/packages/base.scm +++ b/gnu/packages/base.scm @@ -953,6 +953,10 @@ GLIBC/HURD for a Hurd host" "glibc-versioned-locpath.patch" "glibc-o-largefile.patch" "glibc-vectorized-strcspn-guards.patch" + "glibc-CVE-2015-5180.patch" + "glibc-CVE-2016-3075.patch" + "glibc-CVE-2016-3706.patch" + "glibc-CVE-2016-4429.patch" "glibc-CVE-2017-1000366-pt1.patch" "glibc-CVE-2017-1000366-pt2.patch" "glibc-CVE-2017-1000366-pt3.patch")))))) diff --git a/gnu/packages/patches/glibc-CVE-2016-3075.patch b/gnu/packages/patches/glibc-CVE-2016-3075.patch new file mode 100644 index 0000000000..d16722806e --- /dev/null +++ b/gnu/packages/patches/glibc-CVE-2016-3075.patch @@ -0,0 +1,43 @@ +From 146b58d11fddbef15b888906e3be4f33900c416f Mon Sep 17 00:00:00 2001 +From: Florian Weimer +Date: Tue, 29 Mar 2016 12:57:56 +0200 +Subject: [PATCH] CVE-2016-3075: Stack overflow in _nss_dns_getnetbyname_r [BZ + #19879] + +The defensive copy is not needed because the name may not alias the +output buffer. + +(cherry picked from commit 317b199b4aff8cfa27f2302ab404d2bb5032b9a4) +(cherry picked from commit 883dceebc8f11921a9890211a4e202e5be17562f) +--- + ChangeLog | 7 +++++++ + NEWS | 10 ++++++++-- + resolv/nss_dns/dns-network.c | 5 +---- + 3 files changed, 16 insertions(+), 6 deletions(-) + +diff --git a/resolv/nss_dns/dns-network.c b/resolv/nss_dns/dns-network.c +index 2eb2f67..8f301a7 100644 +--- a/resolv/nss_dns/dns-network.c ++++ b/resolv/nss_dns/dns-network.c +@@ -118,17 +118,14 @@ _nss_dns_getnetbyname_r (const char *name, struct netent *result, + } net_buffer; + querybuf *orig_net_buffer; + int anslen; +- char *qbuf; + enum nss_status status; + + if (__res_maybe_init (&_res, 0) == -1) + return NSS_STATUS_UNAVAIL; + +- qbuf = strdupa (name); +- + net_buffer.buf = orig_net_buffer = (querybuf *) alloca (1024); + +- anslen = __libc_res_nsearch (&_res, qbuf, C_IN, T_PTR, net_buffer.buf->buf, ++ anslen = __libc_res_nsearch (&_res, name, C_IN, T_PTR, net_buffer.buf->buf, + 1024, &net_buffer.ptr, NULL, NULL, NULL, NULL); + if (anslen < 0) + { +-- +2.9.3 + diff --git a/gnu/packages/patches/glibc-CVE-2016-3706.patch b/gnu/packages/patches/glibc-CVE-2016-3706.patch new file mode 100644 index 0000000000..617242df24 --- /dev/null +++ b/gnu/packages/patches/glibc-CVE-2016-3706.patch @@ -0,0 +1,188 @@ +From 1a8a7c12950a0026a3c406a7cb1608f96aa1460e Mon Sep 17 00:00:00 2001 +From: Florian Weimer +Date: Fri, 29 Apr 2016 10:35:34 +0200 +Subject: [PATCH] CVE-2016-3706: getaddrinfo: stack overflow in hostent + conversion [BZ #20010] + +When converting a struct hostent response to struct gaih_addrtuple, the +gethosts macro (which is called from gaih_inet) used alloca, without +malloc fallback for large responses. This commit changes this code to +use calloc unconditionally. + +This commit also consolidated a second hostent-to-gaih_addrtuple +conversion loop (in gaih_inet) to use the new conversion function. + +(cherry picked from commit 4ab2ab03d4351914ee53248dc5aef4a8c88ff8b9) +--- + ChangeLog | 10 ++++ + sysdeps/posix/getaddrinfo.c | 130 +++++++++++++++++++++++--------------------- + 2 files changed, 79 insertions(+), 61 deletions(-) + +diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c +index 1ef3f20..fed2d3b 100644 +--- a/sysdeps/posix/getaddrinfo.c ++++ b/sysdeps/posix/getaddrinfo.c +@@ -168,9 +168,58 @@ gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp, + return 0; + } + ++/* Convert struct hostent to a list of struct gaih_addrtuple objects. ++ h_name is not copied, and the struct hostent object must not be ++ deallocated prematurely. *RESULT must be NULL or a pointer to an ++ object allocated using malloc, which is freed. */ ++static bool ++convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, ++ int family, ++ struct hostent *h, ++ struct gaih_addrtuple **result) ++{ ++ free (*result); ++ *result = NULL; ++ ++ /* Count the number of addresses in h->h_addr_list. */ ++ size_t count = 0; ++ for (char **p = h->h_addr_list; *p != NULL; ++p) ++ ++count; ++ ++ /* Report no data if no addresses are available, or if the incoming ++ address size is larger than what we can store. */ ++ if (count == 0 || h->h_length > sizeof (((struct gaih_addrtuple) {}).addr)) ++ return true; ++ ++ struct gaih_addrtuple *array = calloc (count, sizeof (*array)); ++ if (array == NULL) ++ return false; ++ ++ for (size_t i = 0; i < count; ++i) ++ { ++ if (family == AF_INET && req->ai_family == AF_INET6) ++ { ++ /* Perform address mapping. */ ++ array[i].family = AF_INET6; ++ memcpy(array[i].addr + 3, h->h_addr_list[i], sizeof (uint32_t)); ++ array[i].addr[2] = htonl (0xffff); ++ } ++ else ++ { ++ array[i].family = family; ++ memcpy (array[i].addr, h->h_addr_list[i], h->h_length); ++ } ++ array[i].next = array + i + 1; ++ } ++ array[0].name = h->h_name; ++ array[count - 1].next = NULL; ++ ++ *result = array; ++ return true; ++} ++ + #define gethosts(_family, _type) \ + { \ +- int i; \ + int herrno; \ + struct hostent th; \ + struct hostent *h; \ +@@ -219,36 +268,23 @@ gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp, + } \ + else if (h != NULL) \ + { \ +- for (i = 0; h->h_addr_list[i]; i++) \ ++ /* Make sure that addrmem can be freed. */ \ ++ if (!malloc_addrmem) \ ++ addrmem = NULL; \ ++ if (!convert_hostent_to_gaih_addrtuple (req, _family,h, &addrmem)) \ + { \ +- if (*pat == NULL) \ +- { \ +- *pat = __alloca (sizeof (struct gaih_addrtuple)); \ +- (*pat)->scopeid = 0; \ +- } \ +- uint32_t *addr = (*pat)->addr; \ +- (*pat)->next = NULL; \ +- (*pat)->name = i == 0 ? strdupa (h->h_name) : NULL; \ +- if (_family == AF_INET && req->ai_family == AF_INET6) \ +- { \ +- (*pat)->family = AF_INET6; \ +- addr[3] = *(uint32_t *) h->h_addr_list[i]; \ +- addr[2] = htonl (0xffff); \ +- addr[1] = 0; \ +- addr[0] = 0; \ +- } \ +- else \ +- { \ +- (*pat)->family = _family; \ +- memcpy (addr, h->h_addr_list[i], sizeof(_type)); \ +- } \ +- pat = &((*pat)->next); \ ++ _res.options |= old_res_options & RES_USE_INET6; \ ++ result = -EAI_SYSTEM; \ ++ goto free_and_return; \ + } \ ++ *pat = addrmem; \ ++ /* The conversion uses malloc unconditionally. */ \ ++ malloc_addrmem = true; \ + \ + if (localcanon != NULL && canon == NULL) \ + canon = strdupa (localcanon); \ + \ +- if (_family == AF_INET6 && i > 0) \ ++ if (_family == AF_INET6 && *pat != NULL) \ + got_ipv6 = true; \ + } \ + } +@@ -612,44 +648,16 @@ gaih_inet (const char *name, const struct gaih_service *service, + { + if (h != NULL) + { +- int i; +- /* We found data, count the number of addresses. */ +- for (i = 0; h->h_addr_list[i]; ++i) +- ; +- if (i > 0 && *pat != NULL) +- --i; +- +- if (__libc_use_alloca (alloca_used +- + i * sizeof (struct gaih_addrtuple))) +- addrmem = alloca_account (i * sizeof (struct gaih_addrtuple), +- alloca_used); +- else +- { +- addrmem = malloc (i +- * sizeof (struct gaih_addrtuple)); +- if (addrmem == NULL) +- { +- result = -EAI_MEMORY; +- goto free_and_return; +- } +- malloc_addrmem = true; +- } +- +- /* Now convert it into the list. */ +- struct gaih_addrtuple *addrfree = addrmem; +- for (i = 0; h->h_addr_list[i]; ++i) ++ /* We found data, convert it. */ ++ if (!convert_hostent_to_gaih_addrtuple ++ (req, AF_INET, h, &addrmem)) + { +- if (*pat == NULL) +- { +- *pat = addrfree++; +- (*pat)->scopeid = 0; +- } +- (*pat)->next = NULL; +- (*pat)->family = AF_INET; +- memcpy ((*pat)->addr, h->h_addr_list[i], +- h->h_length); +- pat = &((*pat)->next); ++ result = -EAI_MEMORY; ++ goto free_and_return; + } ++ *pat = addrmem; ++ /* The conversion uses malloc unconditionally. */ ++ malloc_addrmem = true; + } + } + else +-- +2.9.3 + diff --git a/gnu/packages/patches/glibc-CVE-2016-4429.patch b/gnu/packages/patches/glibc-CVE-2016-4429.patch new file mode 100644 index 0000000000..5eebd10543 --- /dev/null +++ b/gnu/packages/patches/glibc-CVE-2016-4429.patch @@ -0,0 +1,58 @@ +From bdce95930e1d9a7d013d1ba78740243491262879 Mon Sep 17 00:00:00 2001 +From: Florian Weimer +Date: Mon, 23 May 2016 20:18:34 +0200 +Subject: [PATCH] CVE-2016-4429: sunrpc: Do not use alloca in clntudp_call [BZ + #20112] + +The call is technically in a loop, and under certain circumstances +(which are quite difficult to reproduce in a test case), alloca +can be invoked repeatedly during a single call to clntudp_call. +As a result, the available stack space can be exhausted (even +though individual alloca sizes are bounded implicitly by what +can fit into a UDP packet, as a side effect of the earlier +successful send operation). + +(cherry picked from commit bc779a1a5b3035133024b21e2f339fe4219fb11c) +--- + ChangeLog | 7 +++++++ + NEWS | 4 ++++ + sunrpc/clnt_udp.c | 10 +++++++++- + 3 files changed, 20 insertions(+), 1 deletion(-) + +diff --git a/sunrpc/clnt_udp.c b/sunrpc/clnt_udp.c +index a6cf5f1..4d9acb1 100644 +--- a/sunrpc/clnt_udp.c ++++ b/sunrpc/clnt_udp.c +@@ -388,9 +388,15 @@ send_again: + struct sock_extended_err *e; + struct sockaddr_in err_addr; + struct iovec iov; +- char *cbuf = (char *) alloca (outlen + 256); ++ char *cbuf = malloc (outlen + 256); + int ret; + ++ if (cbuf == NULL) ++ { ++ cu->cu_error.re_errno = errno; ++ return (cu->cu_error.re_status = RPC_CANTRECV); ++ } ++ + iov.iov_base = cbuf + 256; + iov.iov_len = outlen; + msg.msg_name = (void *) &err_addr; +@@ -415,10 +421,12 @@ send_again: + cmsg = CMSG_NXTHDR (&msg, cmsg)) + if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR) + { ++ free (cbuf); + e = (struct sock_extended_err *) CMSG_DATA(cmsg); + cu->cu_error.re_errno = e->ee_errno; + return (cu->cu_error.re_status = RPC_CANTRECV); + } ++ free (cbuf); + } + #endif + do +-- +2.9.3 + -- cgit 1.4.1 From edd08fb7ac86afe1886f348001bbf088e48a8741 Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Wed, 2 Aug 2017 21:45:37 +0300 Subject: gnu: glibc@2.22: Fix security issues. Fixes CVE-2015-{5180,7547}, CVE-2016-{3075,3706,4429}. * gnu/packages/base.scm (glibc@2.22)[source]: Add patches. * gnu/packages/patches/glibc-CVE-2015-7547.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it. --- gnu/local.mk | 1 + gnu/packages/base.scm | 5 + gnu/packages/patches/glibc-CVE-2015-7547.patch | 590 +++++++++++++++++++++++++ 3 files changed, 596 insertions(+) create mode 100644 gnu/packages/patches/glibc-CVE-2015-7547.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 67150aed67..f4fef78f31 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -645,6 +645,7 @@ dist_patch_DATA = \ %D%/packages/patches/glib-networking-ssl-cert-file.patch \ %D%/packages/patches/glib-tests-timer.patch \ %D%/packages/patches/glibc-CVE-2015-5180.patch \ + %D%/packages/patches/glibc-CVE-2015-7547.patch \ %D%/packages/patches/glibc-CVE-2016-3075.patch \ %D%/packages/patches/glibc-CVE-2016-3706.patch \ %D%/packages/patches/glibc-CVE-2016-4429.patch \ diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm index 37e09eb8ce..da2c6dead6 100644 --- a/gnu/packages/base.scm +++ b/gnu/packages/base.scm @@ -974,6 +974,11 @@ GLIBC/HURD for a Hurd host" "0j49682pm2nh4qbdw35bas82p1pgfnz4d2l7iwfyzvrvj0318wzb")) (patches (search-patches "glibc-ldd-x86_64.patch" "glibc-vectorized-strcspn-guards.patch" + "glibc-CVE-2015-5180.patch" + "glibc-CVE-2015-7547.patch" + "glibc-CVE-2016-3075.patch" + "glibc-CVE-2016-3706.patch" + "glibc-CVE-2016-4429.patch" "glibc-CVE-2017-1000366-pt1.patch" "glibc-CVE-2017-1000366-pt2.patch" "glibc-CVE-2017-1000366-pt3.patch")))) diff --git a/gnu/packages/patches/glibc-CVE-2015-7547.patch b/gnu/packages/patches/glibc-CVE-2015-7547.patch new file mode 100644 index 0000000000..12abeb76d4 --- /dev/null +++ b/gnu/packages/patches/glibc-CVE-2015-7547.patch @@ -0,0 +1,590 @@ +From b995d95a5943785be3ab862b2d3276f3b4a22481 Mon Sep 17 00:00:00 2001 +From: Carlos O'Donell +Date: Tue, 16 Feb 2016 21:26:37 -0500 +Subject: [PATCH] CVE-2015-7547: getaddrinfo() stack-based buffer overflow (Bug + 18665). + +* A stack-based buffer overflow was found in libresolv when invoked from + libnss_dns, allowing specially crafted DNS responses to seize control + of execution flow in the DNS client. The buffer overflow occurs in + the functions send_dg (send datagram) and send_vc (send TCP) for the + NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC + family. The use of AF_UNSPEC triggers the low-level resolver code to + send out two parallel queries for A and AAAA. A mismanagement of the + buffers used for those queries could result in the response of a query + writing beyond the alloca allocated buffer created by + _nss_dns_gethostbyname4_r. Buffer management is simplified to remove + the overflow. Thanks to the Google Security Team and Red Hat for + reporting the security impact of this issue, and Robert Holiday of + Ciena for reporting the related bug 18665. (CVE-2015-7547) + +See also: +https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html +https://sourceware.org/ml/libc-alpha/2016-02/msg00418.html + +(cherry picked from commit e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca) +--- + ChangeLog | 15 +++ + NEWS | 14 +++ + resolv/nss_dns/dns-host.c | 111 ++++++++++++++++++- + resolv/res_query.c | 3 + + resolv/res_send.c | 264 ++++++++++++++++++++++++++++++++++------------ + 5 files changed, 338 insertions(+), 69 deletions(-) + +diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c +index 357ac04..a0fe9a8 100644 +--- a/resolv/nss_dns/dns-host.c ++++ b/resolv/nss_dns/dns-host.c +@@ -1031,7 +1031,10 @@ gaih_getanswer_slice (const querybuf *answer, int anslen, const char *qname, + int h_namelen = 0; + + if (ancount == 0) +- return NSS_STATUS_NOTFOUND; ++ { ++ *h_errnop = HOST_NOT_FOUND; ++ return NSS_STATUS_NOTFOUND; ++ } + + while (ancount-- > 0 && cp < end_of_message && had_error == 0) + { +@@ -1208,7 +1211,14 @@ gaih_getanswer_slice (const querybuf *answer, int anslen, const char *qname, + /* Special case here: if the resolver sent a result but it only + contains a CNAME while we are looking for a T_A or T_AAAA record, + we fail with NOTFOUND instead of TRYAGAIN. */ +- return canon == NULL ? NSS_STATUS_TRYAGAIN : NSS_STATUS_NOTFOUND; ++ if (canon != NULL) ++ { ++ *h_errnop = HOST_NOT_FOUND; ++ return NSS_STATUS_NOTFOUND; ++ } ++ ++ *h_errnop = NETDB_INTERNAL; ++ return NSS_STATUS_TRYAGAIN; + } + + +@@ -1222,11 +1232,101 @@ gaih_getanswer (const querybuf *answer1, int anslen1, const querybuf *answer2, + + enum nss_status status = NSS_STATUS_NOTFOUND; + ++ /* Combining the NSS status of two distinct queries requires some ++ compromise and attention to symmetry (A or AAAA queries can be ++ returned in any order). What follows is a breakdown of how this ++ code is expected to work and why. We discuss only SUCCESS, ++ TRYAGAIN, NOTFOUND and UNAVAIL, since they are the only returns ++ that apply (though RETURN and MERGE exist). We make a distinction ++ between TRYAGAIN (recoverable) and TRYAGAIN' (not-recoverable). ++ A recoverable TRYAGAIN is almost always due to buffer size issues ++ and returns ERANGE in errno and the caller is expected to retry ++ with a larger buffer. ++ ++ Lastly, you may be tempted to make significant changes to the ++ conditions in this code to bring about symmetry between responses. ++ Please don't change anything without due consideration for ++ expected application behaviour. Some of the synthesized responses ++ aren't very well thought out and sometimes appear to imply that ++ IPv4 responses are always answer 1, and IPv6 responses are always ++ answer 2, but that's not true (see the implementation of send_dg ++ and send_vc to see response can arrive in any order, particularly ++ for UDP). However, we expect it holds roughly enough of the time ++ that this code works, but certainly needs to be fixed to make this ++ a more robust implementation. ++ ++ ---------------------------------------------- ++ | Answer 1 Status / | Synthesized | Reason | ++ | Answer 2 Status | Status | | ++ |--------------------------------------------| ++ | SUCCESS/SUCCESS | SUCCESS | [1] | ++ | SUCCESS/TRYAGAIN | TRYAGAIN | [5] | ++ | SUCCESS/TRYAGAIN' | SUCCESS | [1] | ++ | SUCCESS/NOTFOUND | SUCCESS | [1] | ++ | SUCCESS/UNAVAIL | SUCCESS | [1] | ++ | TRYAGAIN/SUCCESS | TRYAGAIN | [2] | ++ | TRYAGAIN/TRYAGAIN | TRYAGAIN | [2] | ++ | TRYAGAIN/TRYAGAIN' | TRYAGAIN | [2] | ++ | TRYAGAIN/NOTFOUND | TRYAGAIN | [2] | ++ | TRYAGAIN/UNAVAIL | TRYAGAIN | [2] | ++ | TRYAGAIN'/SUCCESS | SUCCESS | [3] | ++ | TRYAGAIN'/TRYAGAIN | TRYAGAIN | [3] | ++ | TRYAGAIN'/TRYAGAIN' | TRYAGAIN' | [3] | ++ | TRYAGAIN'/NOTFOUND | TRYAGAIN' | [3] | ++ | TRYAGAIN'/UNAVAIL | UNAVAIL | [3] | ++ | NOTFOUND/SUCCESS | SUCCESS | [3] | ++ | NOTFOUND/TRYAGAIN | TRYAGAIN | [3] | ++ | NOTFOUND/TRYAGAIN' | TRYAGAIN' | [3] | ++ | NOTFOUND/NOTFOUND | NOTFOUND | [3] | ++ | NOTFOUND/UNAVAIL | UNAVAIL | [3] | ++ | UNAVAIL/SUCCESS | UNAVAIL | [4] | ++ | UNAVAIL/TRYAGAIN | UNAVAIL | [4] | ++ | UNAVAIL/TRYAGAIN' | UNAVAIL | [4] | ++ | UNAVAIL/NOTFOUND | UNAVAIL | [4] | ++ | UNAVAIL/UNAVAIL | UNAVAIL | [4] | ++ ---------------------------------------------- ++ ++ [1] If the first response is a success we return success. ++ This ignores the state of the second answer and in fact ++ incorrectly sets errno and h_errno to that of the second ++ answer. However because the response is a success we ignore ++ *errnop and *h_errnop (though that means you touched errno on ++ success). We are being conservative here and returning the ++ likely IPv4 response in the first answer as a success. ++ ++ [2] If the first response is a recoverable TRYAGAIN we return ++ that instead of looking at the second response. The ++ expectation here is that we have failed to get an IPv4 response ++ and should retry both queries. ++ ++ [3] If the first response was not a SUCCESS and the second ++ response is not NOTFOUND (had a SUCCESS, need to TRYAGAIN, ++ or failed entirely e.g. TRYAGAIN' and UNAVAIL) then use the ++ result from the second response, otherwise the first responses ++ status is used. Again we have some odd side-effects when the ++ second response is NOTFOUND because we overwrite *errnop and ++ *h_errnop that means that a first answer of NOTFOUND might see ++ its *errnop and *h_errnop values altered. Whether it matters ++ in practice that a first response NOTFOUND has the wrong ++ *errnop and *h_errnop is undecided. ++ ++ [4] If the first response is UNAVAIL we return that instead of ++ looking at the second response. The expectation here is that ++ it will have failed similarly e.g. configuration failure. ++ ++ [5] Testing this code is complicated by the fact that truncated ++ second response buffers might be returned as SUCCESS if the ++ first answer is a SUCCESS. To fix this we add symmetry to ++ TRYAGAIN with the second response. If the second response ++ is a recoverable error we now return TRYAGIN even if the first ++ response was SUCCESS. */ ++ + if (anslen1 > 0) + status = gaih_getanswer_slice(answer1, anslen1, qname, + &pat, &buffer, &buflen, + errnop, h_errnop, ttlp, + &first); ++ + if ((status == NSS_STATUS_SUCCESS || status == NSS_STATUS_NOTFOUND + || (status == NSS_STATUS_TRYAGAIN + /* We want to look at the second answer in case of an +@@ -1242,8 +1342,15 @@ gaih_getanswer (const querybuf *answer1, int anslen1, const querybuf *answer2, + &pat, &buffer, &buflen, + errnop, h_errnop, ttlp, + &first); ++ /* Use the second response status in some cases. */ + if (status != NSS_STATUS_SUCCESS && status2 != NSS_STATUS_NOTFOUND) + status = status2; ++ /* Do not return a truncated second response (unless it was ++ unavoidable e.g. unrecoverable TRYAGAIN). */ ++ if (status == NSS_STATUS_SUCCESS ++ && (status2 == NSS_STATUS_TRYAGAIN ++ && *errnop == ERANGE && *h_errnop != NO_RECOVERY)) ++ status = NSS_STATUS_TRYAGAIN; + } + + return status; +diff --git a/resolv/res_query.c b/resolv/res_query.c +index 4a9b3b3..95470a9 100644 +--- a/resolv/res_query.c ++++ b/resolv/res_query.c +@@ -396,6 +396,7 @@ __libc_res_nsearch(res_state statp, + { + free (*answerp2); + *answerp2 = NULL; ++ *nanswerp2 = 0; + *answerp2_malloced = 0; + } + } +@@ -447,6 +448,7 @@ __libc_res_nsearch(res_state statp, + { + free (*answerp2); + *answerp2 = NULL; ++ *nanswerp2 = 0; + *answerp2_malloced = 0; + } + +@@ -521,6 +523,7 @@ __libc_res_nsearch(res_state statp, + { + free (*answerp2); + *answerp2 = NULL; ++ *nanswerp2 = 0; + *answerp2_malloced = 0; + } + if (saved_herrno != -1) +diff --git a/resolv/res_send.c b/resolv/res_send.c +index 5e53cc2..6511bb1 100644 +--- a/resolv/res_send.c ++++ b/resolv/res_send.c +@@ -1,3 +1,20 @@ ++/* Copyright (C) 2016 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ + /* + * Copyright (c) 1985, 1989, 1993 + * The Regents of the University of California. All rights reserved. +@@ -363,6 +380,8 @@ __libc_res_nsend(res_state statp, const u_char *buf, int buflen, + #ifdef USE_HOOKS + if (__glibc_unlikely (statp->qhook || statp->rhook)) { + if (anssiz < MAXPACKET && ansp) { ++ /* Always allocate MAXPACKET, callers expect ++ this specific size. */ + u_char *buf = malloc (MAXPACKET); + if (buf == NULL) + return (-1); +@@ -638,6 +657,77 @@ get_nsaddr (res_state statp, int n) + return (struct sockaddr *) (void *) &statp->nsaddr_list[n]; + } + ++/* The send_vc function is responsible for sending a DNS query over TCP ++ to the nameserver numbered NS from the res_state STATP i.e. ++ EXT(statp).nssocks[ns]. The function supports sending both IPv4 and ++ IPv6 queries at the same serially on the same socket. ++ ++ Please note that for TCP there is no way to disable sending both ++ queries, unlike UDP, which honours RES_SNGLKUP and RES_SNGLKUPREOP ++ and sends the queries serially and waits for the result after each ++ sent query. This implemetnation should be corrected to honour these ++ options. ++ ++ Please also note that for TCP we send both queries over the same ++ socket one after another. This technically violates best practice ++ since the server is allowed to read the first query, respond, and ++ then close the socket (to service another client). If the server ++ does this, then the remaining second query in the socket data buffer ++ will cause the server to send the client an RST which will arrive ++ asynchronously and the client's OS will likely tear down the socket ++ receive buffer resulting in a potentially short read and lost ++ response data. This will force the client to retry the query again, ++ and this process may repeat until all servers and connection resets ++ are exhausted and then the query will fail. It's not known if this ++ happens with any frequency in real DNS server implementations. This ++ implementation should be corrected to use two sockets by default for ++ parallel queries. ++ ++ The query stored in BUF of BUFLEN length is sent first followed by ++ the query stored in BUF2 of BUFLEN2 length. Queries are sent ++ serially on the same socket. ++ ++ Answers to the query are stored firstly in *ANSP up to a max of ++ *ANSSIZP bytes. If more than *ANSSIZP bytes are needed and ANSCP ++ is non-NULL (to indicate that modifying the answer buffer is allowed) ++ then malloc is used to allocate a new response buffer and ANSCP and ++ ANSP will both point to the new buffer. If more than *ANSSIZP bytes ++ are needed but ANSCP is NULL, then as much of the response as ++ possible is read into the buffer, but the results will be truncated. ++ When truncation happens because of a small answer buffer the DNS ++ packets header field TC will bet set to 1, indicating a truncated ++ message and the rest of the socket data will be read and discarded. ++ ++ Answers to the query are stored secondly in *ANSP2 up to a max of ++ *ANSSIZP2 bytes, with the actual response length stored in ++ *RESPLEN2. If more than *ANSSIZP bytes are needed and ANSP2 ++ is non-NULL (required for a second query) then malloc is used to ++ allocate a new response buffer, *ANSSIZP2 is set to the new buffer ++ size and *ANSP2_MALLOCED is set to 1. ++ ++ The ANSP2_MALLOCED argument will eventually be removed as the ++ change in buffer pointer can be used to detect the buffer has ++ changed and that the caller should use free on the new buffer. ++ ++ Note that the answers may arrive in any order from the server and ++ therefore the first and second answer buffers may not correspond to ++ the first and second queries. ++ ++ It is not supported to call this function with a non-NULL ANSP2 ++ but a NULL ANSCP. Put another way, you can call send_vc with a ++ single unmodifiable buffer or two modifiable buffers, but no other ++ combination is supported. ++ ++ It is the caller's responsibility to free the malloc allocated ++ buffers by detecting that the pointers have changed from their ++ original values i.e. *ANSCP or *ANSP2 has changed. ++ ++ If errors are encountered then *TERRNO is set to an appropriate ++ errno value and a zero result is returned for a recoverable error, ++ and a less-than zero result is returned for a non-recoverable error. ++ ++ If no errors are encountered then *TERRNO is left unmodified and ++ a the length of the first response in bytes is returned. */ + static int + send_vc(res_state statp, + const u_char *buf, int buflen, const u_char *buf2, int buflen2, +@@ -647,11 +737,7 @@ send_vc(res_state statp, + { + const HEADER *hp = (HEADER *) buf; + const HEADER *hp2 = (HEADER *) buf2; +- u_char *ans = *ansp; +- int orig_anssizp = *anssizp; +- // XXX REMOVE +- // int anssiz = *anssizp; +- HEADER *anhp = (HEADER *) ans; ++ HEADER *anhp = (HEADER *) *ansp; + struct sockaddr *nsap = get_nsaddr (statp, ns); + int truncating, connreset, n; + /* On some architectures compiler might emit a warning indicating +@@ -743,6 +829,8 @@ send_vc(res_state statp, + * Receive length & response + */ + int recvresp1 = 0; ++ /* Skip the second response if there is no second query. ++ To do that we mark the second response as received. */ + int recvresp2 = buf2 == NULL; + uint16_t rlen16; + read_len: +@@ -779,40 +867,14 @@ send_vc(res_state statp, + u_char **thisansp; + int *thisresplenp; + if ((recvresp1 | recvresp2) == 0 || buf2 == NULL) { ++ /* We have not received any responses ++ yet or we only have one response to ++ receive. */ + thisanssizp = anssizp; + thisansp = anscp ?: ansp; + assert (anscp != NULL || ansp2 == NULL); + thisresplenp = &resplen; + } else { +- if (*anssizp != MAXPACKET) { +- /* No buffer allocated for the first +- reply. We can try to use the rest +- of the user-provided buffer. */ +-#if __GNUC_PREREQ (4, 7) +- DIAG_PUSH_NEEDS_COMMENT; +- DIAG_IGNORE_NEEDS_COMMENT (5, "-Wmaybe-uninitialized"); +-#endif +-#if _STRING_ARCH_unaligned +- *anssizp2 = orig_anssizp - resplen; +- *ansp2 = *ansp + resplen; +-#else +- int aligned_resplen +- = ((resplen + __alignof__ (HEADER) - 1) +- & ~(__alignof__ (HEADER) - 1)); +- *anssizp2 = orig_anssizp - aligned_resplen; +- *ansp2 = *ansp + aligned_resplen; +-#endif +-#if __GNUC_PREREQ (4, 7) +- DIAG_POP_NEEDS_COMMENT; +-#endif +- } else { +- /* The first reply did not fit into the +- user-provided buffer. Maybe the second +- answer will. */ +- *anssizp2 = orig_anssizp; +- *ansp2 = *ansp; +- } +- + thisanssizp = anssizp2; + thisansp = ansp2; + thisresplenp = resplen2; +@@ -820,10 +882,14 @@ send_vc(res_state statp, + anhp = (HEADER *) *thisansp; + + *thisresplenp = rlen; +- if (rlen > *thisanssizp) { +- /* Yes, we test ANSCP here. If we have two buffers +- both will be allocatable. */ +- if (__glibc_likely (anscp != NULL)) { ++ /* Is the answer buffer too small? */ ++ if (*thisanssizp < rlen) { ++ /* If the current buffer is not the the static ++ user-supplied buffer then we can reallocate ++ it. */ ++ if (thisansp != NULL && thisansp != ansp) { ++ /* Always allocate MAXPACKET, callers expect ++ this specific size. */ + u_char *newp = malloc (MAXPACKET); + if (newp == NULL) { + *terrno = ENOMEM; +@@ -835,6 +901,9 @@ send_vc(res_state statp, + if (thisansp == ansp2) + *ansp2_malloced = 1; + anhp = (HEADER *) newp; ++ /* A uint16_t can't be larger than MAXPACKET ++ thus it's safe to allocate MAXPACKET but ++ read RLEN bytes instead. */ + len = rlen; + } else { + Dprint(statp->options & RES_DEBUG, +@@ -997,6 +1066,66 @@ reopen (res_state statp, int *terrno, int ns) + return 1; + } + ++/* The send_dg function is responsible for sending a DNS query over UDP ++ to the nameserver numbered NS from the res_state STATP i.e. ++ EXT(statp).nssocks[ns]. The function supports IPv4 and IPv6 queries ++ along with the ability to send the query in parallel for both stacks ++ (default) or serially (RES_SINGLKUP). It also supports serial lookup ++ with a close and reopen of the socket used to talk to the server ++ (RES_SNGLKUPREOP) to work around broken name servers. ++ ++ The query stored in BUF of BUFLEN length is sent first followed by ++ the query stored in BUF2 of BUFLEN2 length. Queries are sent ++ in parallel (default) or serially (RES_SINGLKUP or RES_SNGLKUPREOP). ++ ++ Answers to the query are stored firstly in *ANSP up to a max of ++ *ANSSIZP bytes. If more than *ANSSIZP bytes are needed and ANSCP ++ is non-NULL (to indicate that modifying the answer buffer is allowed) ++ then malloc is used to allocate a new response buffer and ANSCP and ++ ANSP will both point to the new buffer. If more than *ANSSIZP bytes ++ are needed but ANSCP is NULL, then as much of the response as ++ possible is read into the buffer, but the results will be truncated. ++ When truncation happens because of a small answer buffer the DNS ++ packets header field TC will bet set to 1, indicating a truncated ++ message, while the rest of the UDP packet is discarded. ++ ++ Answers to the query are stored secondly in *ANSP2 up to a max of ++ *ANSSIZP2 bytes, with the actual response length stored in ++ *RESPLEN2. If more than *ANSSIZP bytes are needed and ANSP2 ++ is non-NULL (required for a second query) then malloc is used to ++ allocate a new response buffer, *ANSSIZP2 is set to the new buffer ++ size and *ANSP2_MALLOCED is set to 1. ++ ++ The ANSP2_MALLOCED argument will eventually be removed as the ++ change in buffer pointer can be used to detect the buffer has ++ changed and that the caller should use free on the new buffer. ++ ++ Note that the answers may arrive in any order from the server and ++ therefore the first and second answer buffers may not correspond to ++ the first and second queries. ++ ++ It is not supported to call this function with a non-NULL ANSP2 ++ but a NULL ANSCP. Put another way, you can call send_vc with a ++ single unmodifiable buffer or two modifiable buffers, but no other ++ combination is supported. ++ ++ It is the caller's responsibility to free the malloc allocated ++ buffers by detecting that the pointers have changed from their ++ original values i.e. *ANSCP or *ANSP2 has changed. ++ ++ If an answer is truncated because of UDP datagram DNS limits then ++ *V_CIRCUIT is set to 1 and the return value non-zero to indicate to ++ the caller to retry with TCP. The value *GOTSOMEWHERE is set to 1 ++ if any progress was made reading a response from the nameserver and ++ is used by the caller to distinguish between ECONNREFUSED and ++ ETIMEDOUT (the latter if *GOTSOMEWHERE is 1). ++ ++ If errors are encountered then *TERRNO is set to an appropriate ++ errno value and a zero result is returned for a recoverable error, ++ and a less-than zero result is returned for a non-recoverable error. ++ ++ If no errors are encountered then *TERRNO is left unmodified and ++ a the length of the first response in bytes is returned. */ + static int + send_dg(res_state statp, + const u_char *buf, int buflen, const u_char *buf2, int buflen2, +@@ -1006,8 +1135,6 @@ send_dg(res_state statp, + { + const HEADER *hp = (HEADER *) buf; + const HEADER *hp2 = (HEADER *) buf2; +- u_char *ans = *ansp; +- int orig_anssizp = *anssizp; + struct timespec now, timeout, finish; + struct pollfd pfd[1]; + int ptimeout; +@@ -1040,6 +1167,8 @@ send_dg(res_state statp, + int need_recompute = 0; + int nwritten = 0; + int recvresp1 = 0; ++ /* Skip the second response if there is no second query. ++ To do that we mark the second response as received. */ + int recvresp2 = buf2 == NULL; + pfd[0].fd = EXT(statp).nssocks[ns]; + pfd[0].events = POLLOUT; +@@ -1203,55 +1332,56 @@ send_dg(res_state statp, + int *thisresplenp; + + if ((recvresp1 | recvresp2) == 0 || buf2 == NULL) { ++ /* We have not received any responses ++ yet or we only have one response to ++ receive. */ + thisanssizp = anssizp; + thisansp = anscp ?: ansp; + assert (anscp != NULL || ansp2 == NULL); + thisresplenp = &resplen; + } else { +- if (*anssizp != MAXPACKET) { +- /* No buffer allocated for the first +- reply. We can try to use the rest +- of the user-provided buffer. */ +-#if _STRING_ARCH_unaligned +- *anssizp2 = orig_anssizp - resplen; +- *ansp2 = *ansp + resplen; +-#else +- int aligned_resplen +- = ((resplen + __alignof__ (HEADER) - 1) +- & ~(__alignof__ (HEADER) - 1)); +- *anssizp2 = orig_anssizp - aligned_resplen; +- *ansp2 = *ansp + aligned_resplen; +-#endif +- } else { +- /* The first reply did not fit into the +- user-provided buffer. Maybe the second +- answer will. */ +- *anssizp2 = orig_anssizp; +- *ansp2 = *ansp; +- } +- + thisanssizp = anssizp2; + thisansp = ansp2; + thisresplenp = resplen2; + } + + if (*thisanssizp < MAXPACKET +- /* Yes, we test ANSCP here. If we have two buffers +- both will be allocatable. */ +- && anscp ++ /* If the current buffer is not the the static ++ user-supplied buffer then we can reallocate ++ it. */ ++ && (thisansp != NULL && thisansp != ansp) + #ifdef FIONREAD ++ /* Is the size too small? */ + && (ioctl (pfd[0].fd, FIONREAD, thisresplenp) < 0 + || *thisanssizp < *thisresplenp) + #endif + ) { ++ /* Always allocate MAXPACKET, callers expect ++ this specific size. */ + u_char *newp = malloc (MAXPACKET); + if (newp != NULL) { +- *anssizp = MAXPACKET; +- *thisansp = ans = newp; ++ *thisanssizp = MAXPACKET; ++ *thisansp = newp; + if (thisansp == ansp2) + *ansp2_malloced = 1; + } + } ++ /* We could end up with truncation if anscp was NULL ++ (not allowed to change caller's buffer) and the ++ response buffer size is too small. This isn't a ++ reliable way to detect truncation because the ioctl ++ may be an inaccurate report of the UDP message size. ++ Therefore we use this only to issue debug output. ++ To do truncation accurately with UDP we need ++ MSG_TRUNC which is only available on Linux. We ++ can abstract out the Linux-specific feature in the ++ future to detect truncation. */ ++ if (__glibc_unlikely (*thisanssizp < *thisresplenp)) { ++ Dprint(statp->options & RES_DEBUG, ++ (stdout, ";; response may be truncated (UDP)\n") ++ ); ++ } ++ + HEADER *anhp = (HEADER *) *thisansp; + socklen_t fromlen = sizeof(struct sockaddr_in6); + assert (sizeof(from) <= fromlen); +-- +2.9.3 + -- cgit 1.4.1 From f58be417610e65f27b90452b78255f8d88ab1b4f Mon Sep 17 00:00:00 2001 From: Tobias Geerinckx-Rice Date: Fri, 4 Aug 2017 03:46:49 +0200 Subject: gnu: fabric: Update to 1.13.2. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * gnu/packages/admin.scm (fabric): Update to 1.13.2. Remove outdated comments. [source]: Remove ‘patches’. * gnu/packages/patches/fabric-tests.patch: Delete file. * gnu/local.mk (dist_patch_DATA): Remove it. --- gnu/local.mk | 1 - gnu/packages/admin.scm | 18 ++++++------------ gnu/packages/patches/fabric-tests.patch | 15 --------------- 3 files changed, 6 insertions(+), 28 deletions(-) delete mode 100644 gnu/packages/patches/fabric-tests.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index f4fef78f31..0491de6584 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -586,7 +586,6 @@ dist_patch_DATA = \ %D%/packages/patches/evilwm-lost-focus-bug.patch \ %D%/packages/patches/expat-CVE-2016-0718-fix-regression.patch \ %D%/packages/patches/exim-CVE-2017-1000369.patch \ - %D%/packages/patches/fabric-tests.patch \ %D%/packages/patches/fastcap-mulGlobal.patch \ %D%/packages/patches/fastcap-mulSetup.patch \ %D%/packages/patches/fasthenry-spAllocate.patch \ diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm index 45f743199a..c4aa108f89 100644 --- a/gnu/packages/admin.scm +++ b/gnu/packages/admin.scm @@ -2105,28 +2105,22 @@ Intel DRM Driver.") (define-public fabric (package (name "fabric") - (version "1.13.1") + (version "1.13.2") (source (origin (method url-fetch) (uri (pypi-uri "Fabric" version)) (sha256 (base32 - "1z17hw0yiqp1blq217zxkg2jzkv8qd79saqhscgsw14mwlcqpwd0")) - (patches (search-patches "fabric-tests.patch")))) + "0k944dxr41whw7ib6380q9x15wyskx7fqni656icdn8rzshn9bwq")))) (build-system python-build-system) (arguments - `(#:python ,python-2)) ;Python 2 only + `(#:python ,python-2)) ; Python 2 only (native-inputs - `(("python2-fudge" ,python2-fudge) ; Requires < 1.0 - ("python2-jinja2" ,python2-jinja2) ; Requires < 3.0 - ("python2-nose" ,python2-nose))) ; Requires < 2.0 + `(("python2-fudge" ,python2-fudge) + ("python2-jinja2" ,python2-jinja2) + ("python2-nose" ,python2-nose))) (propagated-inputs - ;; Required upgrading python-paramiko 1.17.4 to fix an incompatibility - ;; between python-paramiko and newer python-pycrypto. Without this, the - ;; `fab` command fails with "ValueError: CTR mode needs counter - ;; parameter, not IV". See: - ;; https://github.com/paramiko/paramiko/pull/714#issuecomment-281191548. `(("python2-paramiko" ,python2-paramiko))) (home-page "http://fabfile.org") (synopsis "Simple Pythonic remote execution and deployment tool") diff --git a/gnu/packages/patches/fabric-tests.patch b/gnu/packages/patches/fabric-tests.patch deleted file mode 100644 index 4a0ca9f8f1..0000000000 --- a/gnu/packages/patches/fabric-tests.patch +++ /dev/null @@ -1,15 +0,0 @@ -The `fab` excecutable doesn't exist during the test phase as it is created -dynamically during installation. Refer to the equivalent Python module -directly. - ---- a/tests/test_utils.py -+++ b/tests/test_utils.py -@@ -93,7 +93,7 @@ - # perform when they are allowed to bubble all the way to the top. So, we - # invoke a subprocess and look at its stderr instead. - with quiet(): -- result = local("fab -f tests/support/aborts.py kaboom", capture=True) -+ result = local("python -m fabric -f tests/support/aborts.py kaboom", capture=True) - # When error in #1318 is present, this has an extra "It burns!" at end of - # stderr string. - eq_(result.stderr, "Fatal error: It burns!\n\nAborting.") \ No newline at end of file -- cgit 1.4.1 From 1cec3462323717e063c98b6404e9c5c5ef037bdd Mon Sep 17 00:00:00 2001 From: Julien Lepiller Date: Thu, 3 Aug 2017 20:14:56 +0200 Subject: gnu: php: Update to 7.1.8. * gnu/packages/patches/gd-CVE-2017-7890.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it * gnu/packages/php.scm (php): Update to 7.1.8. --- gnu/local.mk | 1 + gnu/packages/patches/gd-CVE-2017-7890.patch | 30 +++++++++++++++++++++++++++++ gnu/packages/php.scm | 17 +++++++++++++--- 3 files changed, 45 insertions(+), 3 deletions(-) create mode 100644 gnu/packages/patches/gd-CVE-2017-7890.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 0491de6584..1bece24418 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -625,6 +625,7 @@ dist_patch_DATA = \ %D%/packages/patches/gcr-disable-failing-tests.patch \ %D%/packages/patches/gcr-fix-collection-tests-to-work-with-gpg-21.patch \ %D%/packages/patches/gdk-pixbuf-list-dir.patch \ + %D%/packages/patches/gd-CVE-2017-7890.patch \ %D%/packages/patches/gd-fix-gd2-read-test.patch \ %D%/packages/patches/gd-fix-tests-on-i686.patch \ %D%/packages/patches/gd-freetype-test-failure.patch \ diff --git a/gnu/packages/patches/gd-CVE-2017-7890.patch b/gnu/packages/patches/gd-CVE-2017-7890.patch new file mode 100644 index 0000000000..66034c5703 --- /dev/null +++ b/gnu/packages/patches/gd-CVE-2017-7890.patch @@ -0,0 +1,30 @@ +From 99ba5c353373ed198f54af66fe4e355ebb96e363 Mon Sep 17 00:00:00 2001 +From: LEPILLER Julien +Date: Thu, 3 Aug 2017 17:04:17 +0200 +Subject: [PATCH] Fix #399: Buffer over-read into uninitialized memory. + +The stack allocated color map buffers were not zeroed before usage, and +so undefined palette indexes could cause information leakage. + +This is CVE-2017-7890. +--- + src/gd_gif_in.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c +index 008d1ec..c195448 100644 +--- a/src/gd_gif_in.c ++++ b/src/gd_gif_in.c +@@ -216,6 +216,9 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd) + + gdImagePtr im = 0; + ++ memset(ColorMap, 0, 3 * MAXCOLORMAPSIZE); ++ memset(localColorMap, 0, 3 * MAXCOLORMAPSIZE); ++ + if(!ReadOK(fd, buf, 6)) { + return 0; + } +-- +2.13.3 + diff --git a/gnu/packages/php.scm b/gnu/packages/php.scm index 7d569eef3e..d0afab0931 100644 --- a/gnu/packages/php.scm +++ b/gnu/packages/php.scm @@ -49,10 +49,21 @@ #:use-module (guix build-system gnu) #:use-module ((guix licenses) #:prefix license:)) +(define gd-for-php + (package + (inherit gd) + (source (origin + (inherit (package-source gd)) + (patches + (append + (origin-patches (package-source gd)) + (search-patches "gd-CVE-2017-7890.patch"))))))) + + (define-public php (package (name "php") - (version "7.1.6") + (version "7.1.8") (home-page "https://secure.php.net/") (source (origin (method url-fetch) @@ -60,7 +71,7 @@ name "-" version ".tar.xz")) (sha256 (base32 - "0nr49gqhk4pv8kcdc60cl1mgwlinawpraq9ba15whzmb472lsn01")) + "1aramb6dm57pr2iz61id9vzfy7h5qkb6bf7dxhrwnjk0723qahw9")) (modules '((guix build utils))) (snippet '(with-directory-excursion "ext" @@ -282,7 +293,7 @@ ("curl" ,curl) ("cyrus-sasl" ,cyrus-sasl) ("freetype" ,freetype) - ("gd" ,gd) + ("gd" ,gd-for-php) ("gdbm" ,gdbm) ("glibc" ,glibc) ("gmp" ,gmp) -- cgit 1.4.1 From 01a61d7040b1794f36547b107abce6e967d59f21 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Tue, 25 Jul 2017 15:04:57 -0400 Subject: gnu: libtasn1: Fix CVE-2017-10790. * gnu/packages/patches/libtasn1-CVE-2017-10790.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/tls.scm (libtasn1/fixed)[source]: Use it. --- gnu/local.mk | 1 + gnu/packages/patches/libtasn1-CVE-2017-10790.patch | 63 ++++++++++++++++++++++ gnu/packages/tls.scm | 3 +- 3 files changed, 66 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/libtasn1-CVE-2017-10790.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 1bece24418..9482d4bb53 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -775,6 +775,7 @@ dist_patch_DATA = \ %D%/packages/patches/libssh2-fix-build-failure-with-gcrypt.patch \ %D%/packages/patches/libtar-CVE-2013-4420.patch \ %D%/packages/patches/libtasn1-CVE-2017-6891.patch \ + %D%/packages/patches/libtasn1-CVE-2017-10790.patch \ %D%/packages/patches/libtheora-config-guess.patch \ %D%/packages/patches/libtiff-CVE-2016-10092.patch \ %D%/packages/patches/libtiff-CVE-2016-10093.patch \ diff --git a/gnu/packages/patches/libtasn1-CVE-2017-10790.patch b/gnu/packages/patches/libtasn1-CVE-2017-10790.patch new file mode 100644 index 0000000000..6cec0c8030 --- /dev/null +++ b/gnu/packages/patches/libtasn1-CVE-2017-10790.patch @@ -0,0 +1,63 @@ +Fix CVE-2017-10790: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10790 + +Patch copied from upstream source repository: + +https://git.savannah.nongnu.org/cgit/libtasn1.git/commit/?id=d8d805e1f2e6799bb2dff4871a8598dc83088a39 + +From d8d805e1f2e6799bb2dff4871a8598dc83088a39 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos +Date: Thu, 22 Jun 2017 16:31:37 +0200 +Subject: [PATCH] _asn1_check_identifier: safer access to values read + +Signed-off-by: Nikos Mavrogiannopoulos +--- + lib/parser_aux.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/lib/parser_aux.c b/lib/parser_aux.c +index 976ab38..786ea64 100644 +--- a/lib/parser_aux.c ++++ b/lib/parser_aux.c +@@ -955,7 +955,7 @@ _asn1_check_identifier (asn1_node node) + if (p2 == NULL) + { + if (p->value) +- _asn1_strcpy (_asn1_identifierMissing, p->value); ++ _asn1_str_cpy (_asn1_identifierMissing, sizeof(_asn1_identifierMissing), (char*)p->value); + else + _asn1_strcpy (_asn1_identifierMissing, "(null)"); + return ASN1_IDENTIFIER_NOT_FOUND; +@@ -968,9 +968,15 @@ _asn1_check_identifier (asn1_node node) + if (p2 && (type_field (p2->type) == ASN1_ETYPE_DEFAULT)) + { + _asn1_str_cpy (name2, sizeof (name2), node->name); +- _asn1_str_cat (name2, sizeof (name2), "."); +- _asn1_str_cat (name2, sizeof (name2), (char *) p2->value); +- _asn1_strcpy (_asn1_identifierMissing, p2->value); ++ if (p2->value) ++ { ++ _asn1_str_cat (name2, sizeof (name2), "."); ++ _asn1_str_cat (name2, sizeof (name2), (char *) p2->value); ++ _asn1_str_cpy (_asn1_identifierMissing, sizeof(_asn1_identifierMissing), (char*)p2->value); ++ } ++ else ++ _asn1_strcpy (_asn1_identifierMissing, "(null)"); ++ + p2 = asn1_find_node (node, name2); + if (!p2 || (type_field (p2->type) != ASN1_ETYPE_OBJECT_ID) || + !(p2->type & CONST_ASSIGN)) +@@ -990,7 +996,8 @@ _asn1_check_identifier (asn1_node node) + _asn1_str_cpy (name2, sizeof (name2), node->name); + _asn1_str_cat (name2, sizeof (name2), "."); + _asn1_str_cat (name2, sizeof (name2), (char *) p2->value); +- _asn1_strcpy (_asn1_identifierMissing, p2->value); ++ _asn1_str_cpy (_asn1_identifierMissing, sizeof(_asn1_identifierMissing), (char*)p2->value); ++ + p2 = asn1_find_node (node, name2); + if (!p2 || (type_field (p2->type) != ASN1_ETYPE_OBJECT_ID) + || !(p2->type & CONST_ASSIGN)) +-- +2.13.3 + diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index 6d71a9b809..58ec9ff5ec 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm @@ -81,7 +81,8 @@ specifications.") (origin (inherit (package-source libtasn1)) (patches - (search-patches "libtasn1-CVE-2017-6891.patch")))))) + (search-patches "libtasn1-CVE-2017-6891.patch" + "libtasn1-CVE-2017-10790.patch")))))) (define-public asn1c (package -- cgit 1.4.1